Touching the Untouchables - Dynamic Security Analysis of the LTE Control Plane

Explore a comprehensive analysis of LTE control plane security in this IEEE conference talk. Delve into the dynamic testing of control components in operational Long Term Evolution networks using LTEFuzz, a semi-automated testing tool. Learn about the systematic generation of test cases based on three fundamental security properties derived from LTE standards. Discover 36 previously undisclosed vulnerabilities categorized into five types: improper handling of unprotected initial procedures, crafted plain requests, messages with invalid integrity protection, replayed messages, and security procedure bypass. Examine proof-of-concept attacks demonstrating the impact of these vulnerabilities, including denial of LTE services, SMS spoofing, and eavesdropping on user data traffic. Gain insights into root cause analysis and potential countermeasures for addressing these security issues. Understand the ethical considerations and involvement of cellular carriers in verifying findings within commercial LTE networks.

Intro
LTE communication is everywhere
LTE network architecture
Previous studies and its limitations
Challenges in active network testing
Overview of LTEFuzz
Generating test cases
Executing test cases
Operational networks are complicated
Classifying the problematic behavior
LTEFuzz test environment
Implementation
Findings
Remote de-register attack
Responsible disclosure
Conclusion